97
PHP Security Tools Overview
This is safe, just not a good practice.
$confirmedINT = intval($id); // forces a plain integer; a tautology cannot survive this
query("SELECT * FROM accounts WHERE id = $confirmedINT");
No mysql_real_escape_string() needed. Consider the following example.
$id = $_POST['accountID']; //accountID = 45, which is fine
$safeID = mysql_real_escape_string($id); //falsely cleaned!
query("SELECT * FROM accounts WHERE id = $safeID");
The result is:
query("SELECT * FROM accounts WHERE id = 45");
In this case, mysql_real_escape_string() does nothing because accountID is an integer, and there is nothing to escape.
However, if accountID is changed to “1 OR 1 = 1”, now examine what happens.
$id = $_POST['accountID']; //accountID = "1 OR 1 = 1", which is NOT fine
$safeID = mysql_real_escape_string($id); ...
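To see the two behaviours side by side, here is an added example (not code from the book) that runs both query builders over the page's two inputs. It assumes a local stand-in, escapeLikeMysql(), which escapes the same characters mysql_real_escape_string() documents, so no database link is needed (the mysql extension itself is gone since PHP 7).

```php
<?php
// Added example: why escaping does not protect an unquoted integer in a
// WHERE clause, while intval() does. escapeLikeMysql() is an assumed
// stand-in for mysql_real_escape_string() so this runs without a DB link.

// Escapes NUL, \n, \r, backslash, single quote, double quote and Ctrl-Z,
// i.e. the character set mysql_real_escape_string() documents.
function escapeLikeMysql(string $value): string {
    return strtr($value, [
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r',
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

// The flawed pattern from the page: escape, then interpolate WITHOUT quotes.
// "1 OR 1 = 1" contains none of the escaped characters, so it passes through
// untouched and becomes part of the WHERE clause.
function queryWithEscape(string $id): string {
    $safeID = escapeLikeMysql($id);
    return "SELECT * FROM accounts WHERE id = $safeID";
}

// The page's recommended pattern: coerce to an integer first. intval()
// keeps only the leading integer, so the rest of the string is discarded.
function queryWithIntval(string $id): string {
    $confirmedINT = intval($id);
    return "SELECT * FROM accounts WHERE id = $confirmedINT";
}

// Constructed inputs: the benign id and the tautology shown on the page.
$inputs = ['45', '1 OR 1 = 1'];
foreach ($inputs as $id) {
    echo "input:  $id\n";
    echo "  escape: " . queryWithEscape($id) . "\n";
    echo "  intval: " . queryWithIntval($id) . "\n";
}
```

In current PHP the same guarantee is obtained by binding the id as a parameter of a prepared statement (PDO or mysqli) instead of interpolating it at all.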